07 Apr, 2023

Kerberos

Kerberos is a network authentication protocol that uses secret-key cryptography to authenticate clients and servers to each other. It was developed at MIT and is the default authentication protocol of Active Directory, which makes it ubiquitous in enterprise networks. A trusted third party, the Key Distribution Center (KDC), issues tickets: a client first obtains a ticket-granting ticket (TGT) by proving knowledge of its own key, then presents the TGT to obtain service tickets for individual servers. Tickets and authenticators carry timestamps and lifetimes, which is how the protocol resists eavesdropping and replay. Authorization (what an authenticated user may do on a service) remains the service's job; Active Directory packs group membership into the ticket's PAC to support that decision.

Kerberos common ports

TCP/UDP 88: Kerberos (AS-REQ/AS-REP and TGS-REQ/TGS-REP exchanges). Small requests often go over UDP; large replies such as Active Directory tickets carrying a PAC go over TCP.

TCP/UDP 464: kpasswd, the Kerberos change/set password protocol (used by the kpasswd tool and by Windows when a user changes a password).

TCP 749: kadmin, the MIT krb5 administration protocol (not used by Active Directory).

Tools for working with Kerberos

Manual Tools:

  • klist: displays the contents of the Kerberos ticket cache (on Windows, klist purge clears it); the first thing to check when troubleshooting single sign-on.

  • kinit / kdestroy (MIT, Heimdal, Java): obtain a TGT for a principal, optionally from a keytab, and discard the cache afterwards.

  • ktutil: manages keytab files (list, add and delete keys). It does not touch ticket caches. On Windows the equivalent is ktpass, which also maps a service principal name to an account.

  • kadmin / kadmind: the MIT krb5 administration client and daemon for managing principals, keys and policies. They are management tools, not debuggers.

  • KRB5_TRACE: not a separate tool but an environment variable of MIT krb5. KRB5_TRACE=/dev/stderr makes kinit and GSSAPI-enabled clients print every KDC exchange and error, which is the usual way to debug authentication failures on Unix.

  • Wireshark: a network protocol analyzer that decodes the AS, TGS and AP exchanges on port 88 and, when given a keytab, can decrypt the encrypted parts.

  • Tcpdump: a command-line capture tool for recording Kerberos traffic for later analysis (for example tcpdump -i eth0 port 88 -w krb.pcap).

Automated Tools:

  • MIT krb5 test suite: the regression tests shipped with the MIT source tree (make check), useful for validating a build or a patched KDC rather than for assessing a deployment.

  • KerbCrack: an old Windows tool (KerbSniff/KerbCrack) that sniffs AS exchanges and brute-forces the pre-authentication timestamp offline. Superseded by capturing tickets with Impacket or Rubeus and cracking them with hashcat or John the Ripper.

  • Kerberoast: the toolkit that introduced Kerberoasting. Any authenticated domain user requests service tickets for accounts that have an SPN; each ticket is encrypted with the service account's key, so its hash can be cracked offline. The tickets are read from the requesting client's memory; nothing is extracted from the domain controller.

  • Impacket: a Python library and set of example scripts for Windows protocols, including Kerberos: GetUserSPNs.py (Kerberoast), GetNPUsers.py (AS-REP roast), ticketer.py (golden and silver tickets), getTGT.py and getST.py, and Kerberos authentication (-k) in psexec.py, secretsdump.py and the rest.

  • Rubeus: a C# toolkit for Kerberos interaction on Windows: ticket requests and renewal, kerberoast, asreproast, pass-the-ticket, overpass-the-hash and S4U delegation abuse.

  • Mimikatz: a post-exploitation tool that dumps tickets and keys from LSASS on a compromised Windows host (sekurlsa::tickets, sekurlsa::ekeys) and forges tickets (kerberos::golden).

  • Kerbrute: fast user enumeration and password spraying against the KDC using pre-authentication. It is noisier in the domain controller logs than people assume (events 4768 and 4771).

  • CrackMapExec: network-wide Active Directory enumeration and command execution. It supports Kerberos authentication (-k), has Kerberoasting and AS-REP roasting options in its LDAP protocol, and can run credential-dumping modules on compromised hosts.

  • Responder: poisons LLMNR, NBT-NS and mDNS name resolution to capture NTLM authentication. It matters for Kerberos mainly because the same poisoning pushes clients into NTLM fallback instead of Kerberos; the Kerberos-specific relay tooling (krbrelayx) builds on the same coercion ideas.

  • BloodHound: graph analysis of Active Directory, including the Kerberos-relevant relationships: Kerberoastable users, AS-REP roastable users, unconstrained and constrained delegation, and paths to the krbtgt account.

  • PowerView: PowerShell Active Directory reconnaissance (Get-DomainUser -SPN, Get-DomainUser -PreauthNotRequired, Get-DomainComputer -Unconstrained).

Five recent CVEs involving Kerberos (as of April 2023)

• CVE-2023-27536: libcurl before 8.0.0 could reuse a previously established connection for a new transfer even though the CURLOPT_GSSAPI_DELEGATION option had been changed in between, so a Kerberos/Negotiate (GSSAPI) transfer could run over a connection whose delegation setting differed from what the caller asked for, with the risk of unintended credential delegation or access. Upgrade to 8.0.0, or do not reuse connections after changing that option.

• CVE-2023-23749: the WordPress plugin 'LDAP Integration with Active Directory and OpenLDAP – NTLM & Kerberos Login' does not properly sanitize the 'username' POST parameter and is vulnerable to LDAP injection. An attacker can manipulate this parameter to dump arbitrary contents from the LDAP directory.

• CVE-2023-21817: Windows Kerberos Elevation of Privilege Vulnerability, patched by Microsoft in February 2023; no technical details were published.

• CVE-2022-47508: SolarWinds Platform. Customers who had configured polling to use Kerberos still saw NTLM traffic in their environment, because the platform queried monitored hosts by IP address; Kerberos needs a service principal name, so the query could not use Kerberos and silently fell back to NTLM.

• CVE-2022-42898: PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in the KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (where the result is a heap-based buffer overflow), and to denial of service on other platforms. The bug is in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Useful information

– Kerberos is a network authentication protocol that provides strong authentication for client/server applications.

– It is designed to provide secure authentication in a network environment where users access network services from multiple devices.

– Kerberos uses symmetric-key cryptography to protect the exchanges between clients, the KDC and servers. AES is the modern choice; RC4-HMAC is still accepted by default in many Active Directory domains, and RC4-encrypted tickets are what makes offline cracking cheap.

– The protocol uses a trusted third party, known as the Key Distribution Center (KDC), to issue and manage authentication credentials.

– Kerberos can provide mutual authentication: the client proves its identity with the service ticket and authenticator, and the server proves its own by returning an AP-REP encrypted under the session key. The client has to request this (the mutual-required flag); many applications do not, and then only the client is authenticated.

– Kerberos provides single sign-on (SSO) functionality, which means that once a user has authenticated to the network, they do not need to provide their credentials again when accessing different resources.

– The Kerberos protocol is widely used in enterprise environments, and is supported by most operating systems, including Windows, Linux, and macOS.

– The weaknesses exploited in practice are mostly not in the protocol but in what surrounds it: passwords weak enough for tickets to be cracked offline (Kerberoasting, AS-REP roasting), accounts that do not require pre-authentication, legacy RC4-HMAC still being accepted, ticket theft and forgery once a host or the krbtgt key is compromised (pass-the-ticket, golden and silver tickets), misconfigured delegation, and NTLM fallback that opens the door to relay attacks. Keeping KDCs and clients patched matters as well: the PAC parsing bug listed above is remote code execution in the KDC itself.

– There are a number of tools available for testing and auditing Kerberos implementations, including both manual and automated tools. These tools can be used to identify security vulnerabilities, misconfigurations, and other issues that could put the Kerberos infrastructure at risk.

– Popular tools for testing Kerberos include Kerbrute, Kerberoast, Rubeus, Mimikatz, Impacket, CrackMapExec, BloodHound and PowerView. Security professionals use them to identify and exploit weaknesses in Kerberos authentication and to test the effectiveness of the controls around it.

Books for studying Kerberos

"Kerberos: The Definitive Guide" by Jason Garman (O'Reilly, 2003): a practical guide to deploying MIT and Heimdal Kerberos and integrating them with applications and Windows. Dated on the cryptography (DES/RC4 era), but still the clearest walk-through of the protocol flow.

"Kerberos: A Network Authentication System" by Brian Tung (Addison-Wesley, 1999): a short, protocol-focused introduction to tickets, authenticators and the AS, TGS and AP exchanges.

For current detail, RFC 4120 (the protocol itself) and Microsoft's MS-KILE and MS-PAC specifications are the primary references.

Attack techniques (payloads) for Kerberos

Kerberoast: any authenticated domain user requests service tickets (TGS-REP) for accounts that have an SPN. The ticket is encrypted with the service account's long-term key, so its hash (usually RC4-HMAC, etype 23) is cracked offline. It targets service tickets, not the TGT.

Golden Ticket: with the krbtgt account's key (NTLM hash or AES key, obtained by dumping the domain controller), an attacker forges a TGT for any user with any group membership. The KDC accepts it because it cannot distinguish a forged TGT from one it issued; the ticket keeps working until the krbtgt password has been rotated twice.

Silver Ticket: a forged service ticket encrypted with the target service account's key (a computer account or a service user). It requires that key, but not the krbtgt key, and never touches the domain controller, so there is no 4769 event to catch it.

Pass the Ticket: reusing a stolen TGT or service ticket (from LSASS memory, or from a .kirbi or .ccache file) on another host to authenticate without knowing any password.

Overpass the Hash (pass-the-key): using a user's real NTLM hash or AES key, obtained by credential dumping, to perform a legitimate AS-REQ and obtain a TGT. Nothing is forged; it turns an NTLM hash into Kerberos tickets.

Kerberos Relay: relaying a Kerberos AP-REQ from a coerced client to another service. Unlike NTLM relay it only works when the attacker can make the client request a ticket for the SPN of the target, so it depends on name-resolution poisoning or DNS write access, which is why it is far less common.

AS-REP Roasting: for accounts with "Do not require Kerberos preauthentication" set, anyone can send an AS-REQ and receive an AS-REP whose encrypted part is under the user's key. No credentials are needed, and the hash is cracked offline (Impacket GetNPUsers.py or Rubeus asreproast).

Kerberos Delegation abuse: unconstrained delegation stores users' TGTs on the delegating host; constrained delegation and resource-based constrained delegation let a compromised service obtain tickets to other services on a user's behalf (S4U2Self/S4U2Proxy). Misconfiguring any of them turns one compromised service into many.

Malicious SSP in LSASS: injecting or registering an attacker-controlled security support provider DLL inside the authentication process (for example Mimikatz misc::memssp) so that plaintext credentials are captured as users log on.
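The techniques above share one mechanic: every ticket is encrypted under a long-term key derived from some principal's password, and the KDC trusts anything sealed under the right key. What follows is an added example, not code from the original page or from any of the tools it lists: a stdlib-only Python model of the AS and TGS exchanges. The realm, principals, passwords and wordlist are constructed; toy_encrypt/toy_decrypt are a stand-in for real Kerberos encryption types (the real string-to-key is PBKDF2 plus a further derivation step, and real tickets are ASN.1, not JSON). It shows Kerberoast and AS-REP roast as offline cracking, pre-authentication blocking the latter, and a golden ticket being accepted by the KDC.

```python
# Toy model of the Kerberos AS/TGS exchanges, stdlib only. Constructed illustration, not
# krb5 wire format or real etypes: toy_encrypt stands in for EncryptedData, but the structure
# that matters for roasting and forgery is kept: every ticket is sealed under a password-derived key.
import hashlib, hmac, json, os, time

REALM = "CORP.LOCAL"  # constructed sample realm

def string_to_key(password, principal):
    # krb5 AES string-to-key: PBKDF2-HMAC-SHA1, salt = realm + principal (final DK() step omitted)
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (REALM + principal).encode(), 4096, 32)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def toy_encrypt(key, plaintext):
    # Encrypt-then-MAC stand-in for a krb5 etype; not for real use.
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:12]

def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-12], blob[-12:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest()[:12], tag):
        raise ValueError("integrity check failed: wrong key")  # what a cracker sees on a bad guess
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    def __init__(self, principals, spns, preauth_required):
        self.keys = {p: string_to_key(pw, p) for p, pw in principals.items()}
        self.spns, self.preauth_required = spns, preauth_required  # spns: SPN -> owning service account

    def as_exchange(self, cname, preauth=None):
        """AS-REQ -> (TGT, enc-part). The enc-part is what AS-REP roasting cracks."""
        if cname in self.preauth_required:
            if preauth is None:
                raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
            ts = json.loads(toy_decrypt(self.keys[cname], preauth))  # wrong key -> ValueError
            if abs(time.time() - ts["timestamp"]) > 300:
                raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        session = os.urandom(32).hex()
        tgt = toy_encrypt(self.keys["krbtgt"], json.dumps({"cname": cname, "session": session}).encode())
        return tgt, toy_encrypt(self.keys[cname], json.dumps({"session": session}).encode())

    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS-REQ -> service ticket sealed under the service account's key (Kerberoastable)."""
        tgt_data = json.loads(toy_decrypt(self.keys["krbtgt"], tgt))  # anything under krbtgt's key is trusted
        auth = json.loads(toy_decrypt(bytes.fromhex(tgt_data["session"]), authenticator))
        if auth["cname"] != tgt_data["cname"]:
            raise PermissionError("KRB_AP_ERR_BADMATCH")
        body = json.dumps({"cname": tgt_data["cname"], "sname": spn}).encode()
        return toy_encrypt(self.keys[self.spns[spn]], body)

def offline_crack(blob, principal, wordlist):
    """Kerberoast / AS-REP roast: guess until the blob decrypts. No KDC traffic at all."""
    for guess in wordlist:
        try:
            toy_decrypt(string_to_key(guess, principal), blob)
            return guess
        except ValueError:
            continue
    return None

def demo():
    krbtgt_pw = os.urandom(32).hex()  # random, as the real krbtgt key is
    kdc = KDC({"krbtgt": krbtgt_pw, "alice": "Winter2023!", "svc_sql": "Summer2019", "bob": "Welcome1"},
              spns={"MSSQLSvc/db01.corp.local:1433": "svc_sql"},
              preauth_required={"alice", "svc_sql"})  # bob: "Do not require Kerberos preauthentication"
    wordlist = ["Password1", "Welcome1", "Summer2019", "Winter2023!"]
    spn = "MSSQLSvc/db01.corp.local:1433"
    # 1. Ordinary logon for alice, then a service ticket request: any domain user may do this.
    alice_key = string_to_key("Winter2023!", "alice")
    tgt, enc_part = kdc.as_exchange("alice", toy_encrypt(alice_key, json.dumps({"timestamp": time.time()}).encode()))
    session = bytes.fromhex(json.loads(toy_decrypt(alice_key, enc_part))["session"])
    st = kdc.tgs_exchange(tgt, toy_encrypt(session, json.dumps({"cname": "alice"}).encode()), spn)
    # 2. AS-REP roast: no credentials needed for bob; refused for alice, who requires pre-auth.
    _, bob_enc = kdc.as_exchange("bob")
    try:
        kdc.as_exchange("alice")
        preauth_blocked = False
    except PermissionError:
        preauth_blocked = True
    # 3. Golden ticket: holding krbtgt's key, forge a TGT for any name; the KDC issues tickets on it.
    fsession = os.urandom(32)
    forged_tgt = toy_encrypt(string_to_key(krbtgt_pw, "krbtgt"),
                             json.dumps({"cname": "Administrator", "session": fsession.hex()}).encode())
    golden_st = kdc.tgs_exchange(forged_tgt, toy_encrypt(fsession, json.dumps({"cname": "Administrator"}).encode()), spn)
    return {
        "kerberoast": offline_crack(st, "svc_sql", wordlist),    # -> "Summer2019"
        "asrep_roast": offline_crack(bob_enc, "bob", wordlist),  # -> "Welcome1"
        "preauth_blocked": preauth_blocked,                       # -> True
        "golden_cname": json.loads(toy_decrypt(kdc.keys["svc_sql"], golden_st))["cname"],  # -> "Administrator"
    }

if __name__ == "__main__":
    print(demo())
```

Two things carry over to a real domain unchanged. The cracking loop never talks to the KDC, so no amount of lockout policy stops it; only the entropy of the service account's password and the cost of the encryption type (AES is slower to crack than RC4, but cracks with the same loop) do. And the KDC in tgs_exchange has no way to tell the forged TGT from a genuine one, which is why a golden ticket is a persistence problem solved by rotating krbtgt, not by detection at issuance.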

Mitigation

  1. Patch KDCs, domain controllers and clients promptly. The krb5 PAC parsing bug listed above is remote code execution in the KDC, and several recent Windows Kerberos CVEs are privilege escalations.

  2. Make roasting unprofitable: long random passwords (25 or more characters) or group Managed Service Accounts for every account that has an SPN, no accounts with pre-authentication disabled, and a rotation of the krbtgt password (twice, to invalidate golden tickets) after any suspected compromise. Frequent rotation of ordinary user passwords does little against Kerberoasting; length and randomness are what matter.

  3. Retire RC4-HMAC where possible (msDS-SupportedEncryptionTypes set to AES only) so that tickets are AES-encrypted, which makes cracking far slower, and so that an RC4 ticket request becomes an anomaly worth alerting on.

  4. Restrict ports 88 and 464 to domain members, segment the domain controllers, and block NTLM where Kerberos is expected, so that downgrade and relay attacks fail instead of silently succeeding.

  5. Protect privileged accounts: the Protected Users group (no RC4, no delegation, short TGT lifetime), "Account is sensitive and cannot be delegated", and smart-card (PKINIT) or other multi-factor authentication for administrators.

  6. Audit delegation: unconstrained delegation on nothing but domain controllers, and constrained and resource-based constrained delegation reviewed regularly (BloodHound makes this easy).

  7. Monitor the KDC logs for the patterns the attacks above produce: 4768 with Pre-Authentication Type 0 (AS-REP roasting), 4769 with encryption type 0x17 for user-owned SPNs and bursts of 4769 for many SPNs from one client (Kerberoasting), storms of 4771 (password spraying), and tickets whose lifetime or account name does not match policy (golden tickets).

  8. Feed those events into an IDS or SIEM with correlation rules rather than relying on network signatures alone: every step of a Kerberoast is a legitimate protocol operation, so only the aggregate pattern is suspicious.

  9. Keep the exposed Kerberos surface small: only the SPNs that are needed, service accounts with least privilege, and legacy services that force RC4 or NTLM retired.

  10. Train users against phishing and social engineering: a stolen password is a valid Kerberos credential, and every attack above assumes the attacker starts from one.
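Item 7 is the one that most often stays a sentence on a slide. As an added example, not from the page or from any vendor, here is a small Python detector that runs over constructed Windows Security events 4768 and 4769 rendered as JSON lines. The field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress) are the real EventData names; the values, principals and client addresses are made up for this example. It flags an AS-REP roast (TGT request with pre-authentication type 0 and RC4) and a Kerberoast (one client requesting RC4 service tickets for several user-owned SPNs within a minute), and leaves the computer-account and AES tickets alone.

```python
# Detection over constructed Windows Security log events (4768 TGT requests, 4769 service ticket
# requests) flattened to JSON lines the way a SIEM export might look. Field names are the real
# EventData names; every value below is made up for this example.
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # TicketEncryptionType 0x17 = RC4-HMAC; 0x11/0x12 = AES128/AES256
WINDOW = timedelta(seconds=60)  # correlation window for one requester
SPN_THRESHOLD = 3               # distinct user-owned SPNs requested within WINDOW before alerting

SAMPLE_EVENTS = """
{"EventID": 4768, "TimeCreated": "2023-04-07T08:59:50", "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": 2, "IpAddress": "10.0.0.25"}
{"EventID": 4768, "TimeCreated": "2023-04-07T08:59:58", "TargetUserName": "bob", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": 0, "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:00:01", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "DC01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:00:02", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:00:03", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:00:04", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:05:00", "TargetUserName": "mwhite@CORP.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"}
{"EventID": 4769, "TimeCreated": "2023-04-07T09:30:00", "TargetUserName": "mwhite@CORP.LOCAL", "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"}
""".strip().splitlines()

def parse_events(lines):
    events = []
    for line in lines:
        e = json.loads(line)
        e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
        e["TicketEncryptionType"] = int(e["TicketEncryptionType"], 16)  # logged as a hex string
        events.append(e)
    return events

def is_roastable_service(name):
    # Heuristic: computer accounts end in "$" and krbtgt is the KDC itself; everything else is a
    # user-owned SPN whose password a human chose. In production, build this set from the directory.
    name = name.split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect(events):
    alerts = []
    # AS-REP roasting: a TGT handed out with no pre-authentication and an RC4 enc-part.
    for e in events:
        if e["EventID"] == 4768 and e.get("PreAuthType") == 0 and e["TicketEncryptionType"] == RC4_HMAC:
            alerts.append({"rule": "asrep_roast", "user": e["TargetUserName"], "ip": e["IpAddress"]})
    # Kerberoasting: one requester pulls RC4 service tickets for several user-owned SPNs in WINDOW.
    by_requester = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC and is_roastable_service(e["ServiceName"]):
            by_requester[(e["TargetUserName"], e["IpAddress"])].append(e)
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda x: x["TimeCreated"])
        start = 0
        for end in range(len(evs)):                     # sliding window over this requester's events
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > WINDOW:
                start += 1
            services = {x["ServiceName"] for x in evs[start:end + 1]}
            if len(services) >= SPN_THRESHOLD:
                alerts.append({"rule": "kerberoast", "user": user, "ip": ip, "services": sorted(services)})
                break                                   # one alert per requester is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The RC4 filter is a cheap, high-signal rule in a domain that has moved to AES, but an attacker who requests AES tickets will slip under it, and mwhite's single legacy RC4 ticket shows why a threshold is needed at all. In production, take the roastable-account list from the directory (accounts with servicePrincipalName set, rather than the "$" heuristic), apply the distinct-SPN count regardless of encryption type, and keep an allow-list for known legacy clients.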

Conclusion

Kerberos is a widely used authentication protocol that provides a secure way of authenticating users, services and hosts in a network. The protocol itself is sound; what gets exploited are weak passwords behind crackable tickets, accounts without pre-authentication, legacy RC4, stolen or forged tickets, and delegation that was never reviewed. Long random service-account passwords, AES-only encryption, tight delegation, monitoring of the KDC logs, and prompt patching of KDCs and clients are the controls that close those gaps.
